Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://www.git.shady.money/git/atom?h=v2.38.4 2022-08-15T06:19:28Z 2022-08-15T06:19:28Z Junio C Hamano gitster@pobox.com 2022-08-15T06:19:28Z urn:sha1:7fac7b563b0d4f174b30bfbedab67e59af8cce84 Platform-specific code that determines if a directory is OK to use as a repository has been taught to report more details, especially on Windows. * js/safe-directory-plus: mingw: handle a file owned by the Administrators group correctly mingw: be more informative when ownership check fails on FAT32 mingw: provide details about unsafe directories' ownership setup: prepare for more detailed "dubious ownership" messages setup: fix some formatting 2022-08-08T16:25:40Z Johannes Schindelin johannes.schindelin@gmx.de 2022-08-08T13:27:47Z urn:sha1:17d3883fe9c88b823002ad9fafb42313ddc3d3d5 When verifying the ownership of the Git directory, we sometimes would like to say a bit more about it, e.g. when using a platform-dependent code path (think: Windows has the permission model that is so different from Unix'), but only when it is a appropriate to actually say something. To allow for that, collect that information and hand it back to the caller (whose responsibility it is to show it or not). Note: We do not actually fill in any platform-dependent information yet, this commit just adds the infrastructure to be able to do so. Based-on-an-idea-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-08-08T16:24:00Z Johannes Schindelin johannes.schindelin@gmx.de 2022-08-08T13:27:46Z urn:sha1:d51e1dff980b9fc87002436b6ab36120a39816b1 In preparation for touching code that was introduced in 3b0bf2704980 (setup: tighten ownership checks post CVE-2022-24765, 2022-05-10) and that was formatted differently than preferred in the Git project, fix the indentation before actually modifying the code. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-14T22:08:29Z Glen Choo chooglen@google.com 2022-07-14T21:28:01Z urn:sha1:8d1a7448206e11cdea657c35b04cc49db39be933 There is a known social engineering attack that takes advantage of the fact that a working tree can include an entire bare repository, including a config file. A user could run a Git command inside the bare repository thinking that the config file of the 'outer' repository would be used, but in reality, the bare repository's config file (which is attacker-controlled) is used, which may result in arbitrary code execution. See [1] for a fuller description and deeper discussion. A simple mitigation is to forbid bare repositories unless specified via `--git-dir` or `GIT_DIR`. In environments that don't use bare repositories, this would be minimally disruptive. Create a config variable, `safe.bareRepository`, that tells Git whether or not to die() when working with a bare repository. This config is an enum of: - "all": allow all bare repositories (this is the default) - "explicit": only allow bare repositories specified via --git-dir or GIT_DIR. If we want to protect users from such attacks by default, neither value will suffice - "all" provides no protection, but "explicit" is impractical for bare repository users. A more usable default would be to allow only non-embedded bare repositories ([2] contains one such proposal), but detecting if a repository is embedded is potentially non-trivial, so this work is not implemented in this series. [1]: https://lore.kernel.org/git/kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com [2]: https://lore.kernel.org/git/5b969c5e-e802-c447-ad25-6acc0b784582@github.com Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-14T22:08:29Z Glen Choo chooglen@google.com 2022-07-14T21:28:00Z urn:sha1:6061601d9f1f1c95da5f9304c319218f7cc3ec75 Use git_protected_config() to read `safe.directory` instead of read_very_early_config(), making it 'protected configuration only'. As a result, `safe.directory` now respects "-c", so update the tests and docs accordingly. It used to ignore "-c" due to how it was implemented, not because of security or correctness concerns [1]. [1] https://lore.kernel.org/git/xmqqlevabcsu.fsf@gitster.g/ Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-11T23:08:49Z Junio C Hamano gitster@pobox.com 2022-07-11T23:08:49Z urn:sha1:f2e5255fc2d3a043f37e259012e1ccd013d6e4b8 2022-07-11T22:38:52Z Junio C Hamano gitster@pobox.com 2022-07-11T22:38:52Z urn:sha1:6d65013bb7259fff9e6dc1044786253759c841a4 Typofix in a BUG() message. * cr/setup-bug-typo: setup: fix function name in a BUG() message 2022-06-27T19:41:41Z Junio C Hamano gitster@pobox.com 2022-06-27T19:36:11Z urn:sha1:69ab3309e96279b3f323ceb1b8c2ebf670788c8e Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-06-23T10:36:12Z Johannes Schindelin johannes.schindelin@gmx.de 2022-06-23T10:36:12Z urn:sha1:8f8eea8c3aba154ce1f9eaab4fa06c73b60550dc * maint-2.35: Git 2.35.4 Git 2.34.4 Git 2.33.4 Git 2.32.3 Git 2.31.4 Git 2.30.5 setup: tighten ownership checks post CVE-2022-24765 git-compat-util: allow root to access both SUDO_UID and root owned t0034: add negative tests and allow git init to mostly work under sudo git-compat-util: avoid failing dir ownership checks if running privileged t: regression git needs safe.directory when using sudo 2022-06-23T10:36:03Z Johannes Schindelin johannes.schindelin@gmx.de 2022-06-23T10:36:03Z urn:sha1:aef3d5948c5b00a0409e117da7e720f574040505 * maint-2.34: Git 2.34.4 Git 2.33.4 Git 2.32.3 Git 2.31.4 Git 2.30.5 setup: tighten ownership checks post CVE-2022-24765 git-compat-util: allow root to access both SUDO_UID and root owned t0034: add negative tests and allow git init to mostly work under sudo git-compat-util: avoid failing dir ownership checks if running privileged t: regression git needs safe.directory when using sudo